Building Firewalls with iptables, Part 1 - Page 2

This depends on your individual flavor of Linux; a nice rc script does the job, or you can run it manually from the command line. Please consult the docs for your distribution. Part 2 in this series will have sample scripts.

TCP/IP

As always, the more you understand about TCP/IP, the more this stuff makes sense. iptables rules filter and match on packet headers and TCP/IP protocols -- any of them.

Installation

iptables is included in nearly every Linux distribution; it would be very unusual not to have it. Run iptables --version to see what's on your system. If for some inexplicable reason you do not have it, see Resources at the end of this article.

Checking Rulesets

man iptables is a complete reference for all the commands and options, or run iptables --help for a quick reference. To view your existing iptables rules, run:

As shown in the above example, every packet must first traverse one of three built-in chains: INPUT, OUTPUT, or FORWARD.

The filter table is the most commonly used table. Here is the basic syntax for all iptables rules:

iptables [-t table] command [match] [target/jump]

Not every piece of this is required, nor does it need to be in this order; however, this is the usual method, and as always, I encourage verbosity for the sake of clarity.

The filter table is the default if none is specified. The three most common targets in the filter table are ACCEPT, DROP, and REJECT. DROP drops packets dead, with no further processing. No messages are sent at all to anyone. REJECT sends back an error message to the sending host. DROP is very useful, although at times it may have undesirable side effects, such as leaving a messy trail of dead sockets.
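As an added example (not from this article, whose own sample scripts come in Part 2), here is a minimal filter-table ruleset that follows the syntax above, naming the table explicitly for clarity and using both DROP and REJECT. The script only prints the commands unless APPLY=1 is set, so it can be read and checked without root; the 192.168.1.0/24 network and the ports 22 and 113 are assumed values for illustration.

```shell
#!/bin/sh
# Added example, not the article's own script. Prints the iptables commands
# by default; run with APPLY=1 (as root) to actually load them.

IPT=${IPT:-iptables}
APPLY=${APPLY:-0}

# Wrapper: every rule goes through here, so one switch controls print vs. apply.
ipt() {
    if [ "$APPLY" = 1 ]; then
        "$IPT" "$@"
    else
        echo "$IPT $*"
    fi
}

build_ruleset() {
    # Start from an empty filter table (it is the default table, but name it anyway).
    ipt -t filter -F
    # Default policies: anything not matched below is dropped on INPUT and FORWARD.
    ipt -t filter -P INPUT DROP
    ipt -t filter -P FORWARD DROP
    ipt -t filter -P OUTPUT ACCEPT
    # Loopback traffic is always accepted.
    ipt -t filter -A INPUT -i lo -j ACCEPT
    # Replies to connections this host opened itself.
    ipt -t filter -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # SSH only from the (assumed) local network.
    ipt -t filter -A INPUT -p tcp -s 192.168.1.0/24 --dport 22 -j ACCEPT
    # REJECT: the sender gets a TCP reset and gives up at once. ident (113) is the
    # classic case: DROP here makes remote mail servers wait on a dead socket.
    ipt -t filter -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset
    # DROP: silently discarded, the sender sees nothing and has to time out.
    ipt -t filter -A INPUT -j DROP
}

if [ "$APPLY" = 1 ] && [ "$(id -u)" != 0 ]; then
    echo "APPLY=1 requires root" >&2
    exit 1
fi

build_ruleset
```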